alternatives for bootloader --password ?

From: "Gabriel L. Somlo" <gsomlo gmail com>

To: anaconda-devel-list redhat com

Subject: alternatives for bootloader --password ?

Date: Mon, 28 Jan 2013 15:26:02 -0500

I run a student lab of Fedora machines, and have taken various
steps to eliminate unwanted modifications by users (physical
case locks, BIOS password, GRUB password, reduced PackageKit
and ConsoleKit privileges for console users, etc).

I also like to be able to openly publish my kickstart file(s),
and have therefore avoided including any passwords in it (and
managed to do so successfully in F16).

With F16, I could comment out the "bootloader" line in the
kickstart file, and have Anaconda provide a bootloader dialog
which included the ability to enter the bootloader password
interactively (similarly to how the system root password is
handled).

With F18, I noticed that's no longer possible: leaving out
"bootloader" in kickstart seems to result in an unbootable
system, and the only available method to lock GRUB is to
provide a '--password' option to the "bootloader" line within
the ks file itself.

I'm wondering what other alternatives there might be for
--password in future versions?

Would it be reasonable to e.g. reuse the system root password
in GRUB
(e.g. "bootloader --location=mbr --boot-drive=sda --use-root-pw")?

The default username created by Anaconda (in /etc/grub.d/01_users)
is "root", and the person/group with privileges to edit/modify
the boot parameters is most likely the same as system-root (I'm
having trouble coming up with scenarios in which that's not the
case), so the security posture would be most likely unaffected
by this.

Of course, restoring the ability to have an Anaconda dialog for
the bootloader password would also be nice, if the above turns
out to be hard, or a bad idea for reasons I can't think of right
now.

Please let me know what you think (and if I'm missing anything
obvious).

Thanks much,
--Gabriel
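
An added example, not part of the original post or of Anaconda: one way to keep the plaintext GRUB password out of a published kickstart file is to put only a PBKDF2 hash on the "bootloader" line. It assumes the installer's "bootloader" command accepts --iscrypted together with a hash in the layout printed by grub2-mkpasswd-pbkdf2; the function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 10000   # grub2-mkpasswd-pbkdf2 default iteration count
SALT_LEN = 64        # grub2-mkpasswd-pbkdf2 default salt length, bytes
KEY_LEN = 64         # grub2-mkpasswd-pbkdf2 default derived-key length, bytes


def grub2_pbkdf2(password, salt=None, iterations=ITERATIONS):
    """Return a hash string in the layout grub2-mkpasswd-pbkdf2 prints."""
    if not password:
        raise ValueError("empty bootloader password")
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per hash
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, iterations, KEY_LEN)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (
        iterations, salt.hex().upper(), key.hex().upper())


def verify(password, hashed):
    """Recompute from the embedded salt and compare in constant time."""
    prefix, kdf, digest, iters, salt_hex, key_hex = hashed.split(".")
    if (prefix, kdf, digest) != ("grub", "pbkdf2", "sha512"):
        raise ValueError("not a GRUB2 PBKDF2-SHA512 hash")
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters),
                              len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def bootloader_line(hashed):
    """Kickstart line reusing the location/drive options from the post."""
    # Assumption: --iscrypted is supported by the installer in use.
    return ("bootloader --location=mbr --boot-drive=sda "
            "--iscrypted --password=%s" % hashed)


if __name__ == "__main__":
    import getpass
    # Prompt on the admin's workstation; only the hash reaches the ks file.
    print(bootloader_line(grub2_pbkdf2(getpass.getpass("GRUB password: "))))
```

A published hash can still be guessed offline, so this approach only suits a long, random bootloader password.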